Indictment for Hacking


  • 7/27/2019 Indictment for Hacking

    1/37

EUG/SG/2009R00080

UNITED STATES DISTRICT COURT
DISTRICT OF NEW JERSEY

UNITED STATES OF AMERICA          Hon. Jerome B. Simandle

v.                                Criminal No. 09-626 (JBS) (S-2)

VLADIMIR DRINKMAN,                18 U.S.C. 371, 1030, 1343, 1349, and 2

    ROMAN KOTOV,


The Grand Jury in and for the District of New Jersey, sitting at Newark, charges:

COUNT ONE
(Computer Hacking Conspiracy)

1. At various times relevant to this Second Superseding Indictment:

The Defendants

a. Defendant VLADIMIR DRINKMAN ("DRINKMAN") resided in or near Syktyvkar, Russia, and Moscow, Russia. As set forth more fully below, DRINKMAN was a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions and payment processors; harvesting data, including, among other things, credit card, debit card, and other customer account information, from within the compromised networks; and exfiltrating that data out of the compromised networks.

b. Defendant ALEKSANDR KALININ ("KALININ") resided in or near St.


d. Defendant MIKHAIL RYTIKOV ("RYTIKOV") resided in or near Odessa, Ukraine. As set forth more fully below, RYTIKOV provided anonymous web hosting services to DRINKMAN, KALININ, KOTOV, and others, that they used to both hack into the computer networks of a number of victim companies, and exfiltrate (that is, covertly remove) data from the networks of those victims.

e. DMITRIY SMILIANETS ("SMILIANETS") resided in or near Moscow, Russia. As set forth more fully below, SMILIANETS was responsible for selling the information that DRINKMAN, KALININ, KOTOV, and others obtained through their hacking activities, and for disbursing the proceeds from the sale of that information to DRINKMAN, KALININ, KOTOV, and others.

Co-conspirators

f. Albert Gonzalez, a/k/a "segvec," a/k/a "soupnazi," a/k/a "j4guar17"


Overview of the Hacking Conspiracy

j. From at least as early as August 2005 through at least July 2012, defendants DRINKMAN, KALININ, KOTOV, RYTIKOV, and SMILIANETS (collectively the "Defendants"), together with their co-conspirators, operated a prolific hacking organization that was responsible for several of the largest known data breaches. Among other exploits during that period, the Defendants and their co-conspirators penetrated the secure computer networks of several of the largest payment processing companies, retailers, and financial institutions in the world, and stole the personal identifying information of others, such as user names and passwords ("Log-In Credentials"), means of identification ("Personal Data"), credit and debit card numbers ("Card Numbers"), and corresponding personal identification information of cardholders (collectively the "Stolen Data").

k. Conservatively, the Defendants and their co-conspirators unlawfully acquired over 160 million Card Numbers through their hacking activities. After acquiring this information, which they referred to as "dumps" - hacker shorthand for Card Numbers and


by just three of the Corporate Victims, and immeasurable losses to the identity theft victims due to the costs associated with stolen identities and fraudulent charges.

Selected Methods of Hacking Utilized by Defendants

m. Structured Query Language ("SQL") was a computer programming language designed to retrieve and manage data in computer databases.

n. "SQL Injection Attacks" were methods of hacking into and gaining unauthorized access to computers connected to the Internet.

o. "SQL Injection Strings" were a series of instructions to computers used by hackers in furtherance of SQL Injection Attacks.

p. "Malware" was malicious computer software programmed to, among other things, gain unauthorized access to computers; to identify, store, and export information from hacked computers; and to evade detection of intrusions by anti-virus programs and other security features running on those computers.

q. "Tunneling" was a method employed to create a connection between a
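A worked illustration of definitions m through o, added here as an example and not part of the indictment or of any victim system: the user table, the "cards" table, the card numbers (public industry test numbers) and the two injection strings are all constructed. It shows the same lookup query written the vulnerable way and the parameterized way, and what each returns when the input is an ordinary e-mail address, a tautology string, and a UNION string that pulls rows from a table the query was never meant to touch.

```python
"""Worked example of SQL Injection Strings against a database lookup.

Constructed example, not from the indictment: the schema, rows, card
numbers (public industry test numbers) and injection strings are made up.
"""
import sqlite3

# Constructed data: a user directory with a password-reminder hint, and a
# separate table that the lookup was never meant to expose.
USERS = [
    ("alice@example.test", "alice", "first pet's name"),
    ("bob@example.test", "bob", "city of birth"),
]
CARDS = [
    ("4111111111111111", "12/27"),
    ("5555555555554444", "03/26"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, username TEXT, hint TEXT)")
    conn.execute("CREATE TABLE cards (pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    return conn


def reminder_vulnerable(conn, email):
    # Deliberately vulnerable: attacker-controlled text is spliced into the
    # SQL text, so quote characters in the input change the query structure.
    sql = "SELECT username, hint FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def reminder_parameterized(conn, email):
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT username, hint FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two SQL Injection Strings in the indictment's sense. The first closes the
# string literal, appends an always-true predicate and comments out the
# trailing quote; the second uses UNION to pull rows from a different table
# through the same query (the "harvesting" step).
TAUTOLOGY = "' OR '1'='1' --"
UNION_DUMP = "' UNION SELECT pan, expiry FROM cards --"


def demo():
    """Return what each variant yields for each input, for comparison."""
    conn = make_db()
    out = {}
    for label, inp in (("legit", "alice@example.test"),
                       ("tautology", TAUTOLOGY),
                       ("union", UNION_DUMP)):
        out[label] = {
            "vulnerable": reminder_vulnerable(conn, inp),
            "parameterized": reminder_parameterized(conn, inp),
        }
    return out


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, res)
```

The parameterized form returns the same single row for the legitimate address and nothing for either injection string, which is the whole of the fix: the database driver never sees the attacker's quotes as SQL.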


located in, among other places, Middlesex County, New Jersey. Beginning in or about May 2007, NASDAQ was the victim of a SQL Injection Attack that resulted in the placement of malware on its network, and the theft of Log-In Credentials.

b. 7-Eleven, Inc. ("7-Eleven") was headquartered in Dallas, Texas, and was the corporate parent of a convenience store chain by the same name. 7-Eleven processed credit and debit card transactions through its computer networks. Beginning in or about August 2007, 7-Eleven was the victim of a SQL Injection Attack that resulted in malware being placed on its network and the theft of an undetermined number of Card Numbers.

c. Carrefour S.A. ("Carrefour") was a French multinational retailer headquartered in Greater Paris, France, and was one of the largest retailers in the world in terms of revenue and profit. Beginning as early as October 2007, Carrefour's computer networks were breached and approximately 2 million credit Card Numbers were subsequently exfiltrated.

d. JCPenney, Inc. ("JCP") was a major national retailer with its headquarters in Plano, Texas. JCP processed credit card payments for its retail stores through its computer


f. Heartland Payment Systems, Inc. ("Heartland"), which was located in or near Princeton, New Jersey, and Plano, Texas, among other places, was one of the world's largest credit and debit card payment processing companies. Heartland processed millions of credit and debit transactions daily. Beginning on or about December 26, 2007, Heartland was the victim of a SQL Injection Attack on its corporate computer network that resulted in malware being placed on its payment processing system and the theft of more than approximately 130 million Card Numbers, and losses of approximately $200 million.

g. Wet Seal, Inc. ("Wet Seal") was a major national retailer with its headquarters in Foothill Ranch, California. Wet Seal processed credit and debit card payments for its retail stores through its computer network. In or about January 2008, Wet Seal was the victim of a SQL Injection Attack that resulted in the placement of malware on its network.

h. Commidea Ltd. ("Commidea") was a European provider of electronic payment and transaction processing solutions for retailers, with its headquarters in the United Kingdom. From at least as early as March 2008 through in or about November 2008, malware


j. JetBlue Airways ("JetBlue") was an airline with its headquarters in Long Island City, New York. Between in or about January 2008 and in or about February 2011, JetBlue suffered an unauthorized intrusion resulting in the placement of malware on portions of its computer network that stored Personal Data of its employees.

k. Dow Jones, Inc. ("Dow Jones") published news, business, and financial information worldwide in newspapers, on television and radio, over news wires, and on the Internet. Dow Jones's computer infrastructure was based largely in New Jersey, as well as in Minnesota, New York and elsewhere. In or before 2009, Dow Jones was the victim of unauthorized access to its computer network resulting in the placement of malware on its network and the theft of approximately 10,000 sets of Log-In Credentials.

l. "Bank A" was one of the leading domestic banks in the United Arab Emirates, and was headquartered in Abu Dhabi. Between in or about December 2010 and in or about March 2011, malware was placed on Bank A's computer networks, and was used to facilitate the theft of Card Numbers.


institution clients through "VisaNet," a centralized and modular payments network. Visa Jordan Card Services ("Visa Jordan") was a Visa licensee, and Jordan's premier payment card processor. Between in or about February 2011 and in or about March 2011, Visa Jordan was the victim of SQL Injection Attacks that resulted in the placement of malware on its network, and the theft of approximately 800,000 Card Numbers.

o. Global Payment Systems ("Global Payment") was one of the world's largest electronic transaction processing companies, with its headquarters in Atlanta, Georgia. Between in or about January 2011 and in or about March 2012, Global Payment was the victim of SQL Injection Attacks on its computer network that resulted in malware being placed on its payment processing system and the theft of more than 950,000 Card Numbers, and losses of approximately $92.7 million.

p. Discover Financial Services, Inc. was a financial services company, which, among other things, issued the Discover Card credit card, and since in or about April 2008 has owned the Diners Club International ("Diners") charge card network. Diners provided a variety


2012, Ingenicard was the victim of SQL Injection Attacks that resulted in malware being placed on its network and the theft of Card Numbers, which were later used to withdraw over $9 million within twenty-four hours.

r. NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Bank A, Euronet, Visa Jordan, Global Payment, Diners, and Ingenicard are collectively referred to herein as the "Corporate Victims."

THE CONSPIRACY

3. Between in or about August 2005 and in or about July 2012, in Mercer and Middlesex Counties, in the District of New Jersey, and elsewhere, defendants

VLADIMIR DRINKMAN,

ALEKSANDR KALININ,


and DMITRIY SMILIANETS,

did knowingly and intentionally conspire and agree with each other, Gonzalez, Toey, CC #1, and others to commit offenses against the United States, namely:

a. by means of interstate communications, intentionally accessing computers in interstate commerce without authorization, and exceeding authorized access, and thereby obtaining information from those computers, namely Log-In Credentials, Personal Data, and Card Numbers, for the purpose of commercial advantage and private financial gain, contrary to Title 18, United States Code, Sections 1030(a)(2)(C) and (c)(2)(B)(i); and

b. knowingly and with intent to defraud accessing computers in interstate commerce without authorization and exceeding authorized access to such computers, and by


MANNER AND MEANS OF THE CONSPIRACY

5. The manner and means by which DRINKMAN, KALININ, KOTOV, RYTIKOV, SMILIANETS, Gonzalez, Toey, CC #1, and others, sought to accomplish the conspiracy included, among other things, the following:

Scouting Potential Victims

a. It was part of the conspiracy that DRINKMAN, KALININ, KOTOV, Gonzalez, and Toey would identify corporate victims by researching websites and other publications to find corporations that engaged in financial transactions.

b. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, Gonzalez, and Toey would probe potential vulnerabilities in the websites of the corporations they discovered in their research to identify potential corporate victims.

c. It was further part of the conspiracy that between in or about 2007 and in or about 2008, Gonzalez and Toey would travel to retail stores of potential corporate victims in order to first identify the payment processing systems that the would-be victims used at their


and elsewhere (collectively, "the Hacking Platforms") to (1) store malware; (2) stage attacks on the Corporate Victims' networks; and (3) receive stolen Log-In Credentials, Personal Data, and Card Numbers from these networks.

e. It was further part of the conspiracy that RYTIKOV would lease some of the Hacking Platforms to KALININ, SMILIANETS, and others for use in attacking the Corporate Victims' networks.

f. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, Gonzalez, Toey, and others would provide each other and others with SQL Injection Strings and malware that could be used to gain unauthorized access to the Corporate Victims' networks and to locate, store, and transmit Log-In Credentials, Personal Data, and Card Numbers from those networks.

g. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, Gonzalez, Toey, and others would hack into the Corporate Victims' networks using various techniques, including, among others, SQL Injection Attacks, to steal, among other things,


conduct network reconnaissance for the purpose of finding and stealing Log-In Credentials, Personal Data, Card Numbers, and other valuable information within the Corporate Victims' networks.

j. It was further part of the conspiracy that once DRINKMAN, KALININ, KOTOV, Gonzalez, and others hacked into the Corporate Victims' networks, they would install "sniffer" programs that would capture Card Numbers, and other information on a real-time basis as the information moved through the Corporate Victims' credit and debit card processing networks, and then periodically transmit that information to the co-conspirators.
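The "sniffer" described in paragraph j has to pick card numbers out of whatever bytes cross the wire; a defender looking for cleartext card data in a packet capture or a memory dump does exactly the same thing. The following is an added example, not code from the indictment or from any of the parties: the captured bytes are constructed to look like a point-of-sale record, the card numbers are public industry test numbers, and the scan is the standard digit-run-plus-Luhn check that both sniffers and data-loss-prevention tools use.

```python
"""Finding card numbers in captured data, as a sniffer (or a defender's
DLP check) would: digit-run scan plus Luhn validation.

Constructed example, not from the indictment: the captured bytes are made
up and the card numbers are public industry test numbers.
"""
import re

# Constructed sample of what a point-of-sale host might emit in cleartext:
# a PAN in a key=value field, a track-2-style record (PAN, '=', expiry and
# service code), and digit runs that are not card numbers.
CAPTURED = (
    b"0200 PAN=4111111111111111;EXP=2712|"
    b";5555555555554444=27031010000000000000?|"
    b"ORDER 1234567890123 TOTAL 41.11 REF 4111111111111112"
)

# Candidate: 13 to 19 consecutive digits not embedded in a longer run.
CANDIDATE_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check: from the right, double every second digit, subtract 9
    from products over 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data):
    """Return every Luhn-valid 13-19 digit run in the captured bytes."""
    return [m.group(1).decode("ascii")
            for m in CANDIDATE_RE.finditer(data)
            if luhn_ok(m.group(1).decode("ascii"))]


def mask(pan):
    """Keep the first six and last four digits, as a log should store them."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(CAPTURED):
        print(mask(pan))
```

The Luhn step is what keeps order numbers and other long digit strings out of the result; the trailing 20-digit track-2 discretionary data is skipped because the candidate pattern refuses runs longer than 19 digits. In a detection pipeline the hit itself is the finding (cleartext PAN on a segment that should carry none), and the masked form is what goes into the alert.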

k. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, Gonzalez, Toey, and others would communicate via instant messaging services while their unauthorized access was taking place in order to advise each other as to how to navigate the Corporate Victims' networks and how to locate Log-In Credentials, Personal Data, Card Numbers, and other valuable information.

l. It was further part of the conspiracy that DRINKMAN, KALININ,


n. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, Gonzalez, Toey, and others would conceal their attacks by disguising, through the use of "proxies," the Internet Protocol addresses from which their attacks originated.

Bullet-proof Hosting

o. It was further part of the conspiracy that RYTIKOV offered "bullet-proof hosting" services to his co-conspirators (i.e., leasing servers from which law enforcement supposedly could not gain access or obtain information). "Bullet-proof hosting" services included frequently changing the locations of Hacking Platforms, erasing the contents of Hacking Platforms on short notice, accepting false credentials to register and lease Hacking Platforms, and discouraging Internet Service Providers from deactivating Hacking Platforms suspected of illegal activity.

Advanced Techniques

p. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, SMILIANETS, Gonzalez, Toey, and others would conceal their efforts by storing data


Communications

r. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, SMILIANETS, Gonzalez, Toey, and others would conceal their efforts by communicating over the Internet using more than one messaging screen name. After becoming aware that law enforcement tracked certain communications using known messaging services, the co-conspirators established private and encrypted communications channels to avoid detection. Fearing that even these encrypted communication channels could be monitored, several of the co-conspirators ultimately attempted to conduct their communications in person.

Profiting from the Attacks

s. It was further part of the conspiracy that DRINKMAN, KALININ, KOTOV, and others would provide SMILIANETS with dumps to sell.

t. It was further part of the conspiracy that SMILIANETS would sell the dumps to dumps resellers, who, in turn, sold them to individuals that encoded them onto the magnetic strips of blank plastic cards, which they and others used to make unauthorized ATM


wire transfer to individuals and accounts controlled by CC #1, a money exchanger based in Kiev, Ukraine.

w. It was further part of the conspiracy that CC #1, after deducting a fee, would forward money he received on SMILIANETS's behalf to SMILIANETS by, among other things, depositing it directly into WebMoney accounts that SMILIANETS controlled, and sending cash from Ukraine to Russia through couriers recruited by CC #1, SMILIANETS, and others.

OVERT ACTS

6. In furtherance of the conspiracy, and to effect its unlawful objects, the co-conspirators committed and caused to be committed the following criminal acts, among others, in the District of New Jersey and elsewhere:

NASDAQ and JetBlue

7. On or about May 19, 2007, KALININ identified a security vulnerability at a NASDAQ web page that enabled NASDAQ's customers to obtain on-line password reminders


10. On or about August 12, 2007, after KALININ accessed NASDAQ's computer network, KALININ sent Gonzalez an instant message stating that the network was about "30 SQL servers, and we can run whatever on them, already cracked admin PWs but the network not viewable yet." KALININ further commented that "those dbs are hell big and I think most of info is trading histories."

11. On or about January 9, 2008, in response to an offer from Gonzalez to help attack NASDAQ, KALININ told Gonzalez via instant message that "NASDAQ is owned."

12. On or before January 9, 2008, KALININ obtained administrative access - that is, access sufficient to permit him to perform network or systems administrator functions - to NASDAQ's computer network, and noted to Gonzalez via instant message that he had maintained that access for a long time.

13. On or about March 18, 2008, KALININ wrote to Gonzalez via instant message that DRINKMAN had lost "back door" access to NASDAQ, that KALININ had reacquired it, and that KALININ would not lose it again.


17. In or about October 2009, a co-conspirator caused a NASDAQ computer to attempt to communicate with the Bahamas Server that KALININ rented from RYTIKOV.

Carrefour

18. On or about October 29, 2007, during an instant messaging chat, Gonzalez and KALININ discussed a vulnerability in Carrefour's network:

KALININ: I have some big europe retailer ..
Gonzalez: carrefour?
KALININ: ya
Gonzalez: they're BIG
KALININ: I just picked up a top 100 retailers
KALININ: saw them on 2nd place
KALININ: their networks seems to be connected, cuz I saw france etc hacking spain one

19. On or about October 30, 2007, KALININ informed Gonzalez that he and


KALININ: yep
Gonzalez: is [DRINKMAN] owning carrefour?
KALININ: yep

20. Between in or about 2007 and in or about 2008, DRINKMAN, KALININ and KOTOV accessed Carrefour's network and exfiltrated approximately 2 million Card Numbers from Carrefour's computer networks.

21. Following the intrusion described above, SMILIANETS sold dumps obtained from Carrefour's computer networks.

Heartland and JCP

22. On or about November 6, 2007, Gonzalez transferred a computer file named "sqlz.txt" that contained information stolen from JCP's computer network to a Hacking Platform in Ukraine ("the Ukraine Server").

23. On or about November 6, 2007, Gonzalez transferred a computer file to the Ukraine Server named "injector.exe" that matched malware placed on both Heartland and JCP's


messages providing Card Numbers obtained by DRINKMAN and KALININ from the Heartland hack.

Wet Seal

26. During an instant messaging chat on or about December 4, 2007, Gonzalez and KALININ discussed potential vulnerabilities in Wet Seal's network:

KALININ: yo
Gonzalez: whats up?
KALININ: I forgot again what I was going to tell heh
Gonzalez: I asked [DRINKMAN] for some help finding sql'ing in wetseal.com I think I found one in http://web.wetseal.com[...].
KALININ: vulnerable
Gonzalez: how did you check?

27. In or about January 2008, over an instant messaging service, Gonzalez sent Toey a SQL Injection String that was used to penetrate Wet Seal's computer network (the "Wet Seal


KALININ: [REDACTED COMMAND]
KALININ: I quit
KALININ: [REDACTED PORT NUMBER]
Gonzalez: you're using [REDACTED PORT NUMBER] though :)
Gonzalez: ahh ok
Gonzalez: how did you get on the web servers?
KALININ: [REDACTED COMMAND]
KALININ: this one is web

* * * *

Gonzalez: btw, can you ask [DRINKMAN] for his universal hooker/logger for wetseal?
KALININ: I cant get him online last days

29. On or about April 22, 2008, Gonzalez modified a file on the Ukraine Server that contained computer log data stolen from Wet Seal's computer network.


32. In or about 2008, DRINKMAN and KOTOV exfiltrated approximately 30 million Card Numbers.

33. Following the intrusion described above, SMILIANETS sold dumps obtained from Commidea's networks, including sales between February 2008 and November 2008 to Horohorin.

Hannaford

34. Between in or after March 2007 and in or about May 2008, Gonzalez participated in a discussion over an instant messaging service in which one of the participants stated "planning my second phase against Hannaford."

35. Between in or after December 2007 and in or about May 2008, Toey participated in a discussion over an instant messaging service in which one of the participants stated "that's how [DRINKMAN] hacked Hannaford."

36. During an instant messaging chat on or about March 18, 2008, Gonzalez forwarded KALININ a link to an article discussing the intrusion into Hannaford's networks and


Gonzalez: hannaford lasted 3 month of sales before it was on news, im trying to figure out how much time its gonig [sic] to be alive for

* * * *

Gonzalez: hannaford will spend millions to upgrade their security!!
KALININ: lol haha
KALININ: they would better pay us to not hack them again

* * * *

38. Following the intrusion described above, SMILIANETS sold dumps obtained from Hannaford's computer networks.

39. Between in or about May 2008 and in or about August 2008, KALININ leased a Hacking Platform from RYTIKOV located in Panama ("the Panama Server").

40. Between in or about February 2008 and in or about August 2008, a co-conspirator


Dow Jones and the Odessa Server

43. On or about August 8, 2008, KALININ asked RYTIKOV through instant message to custom-build him a Hacking Platform.

44. Between on or about August 8, 2008 and on or about August 11, 2008, RYTIKOV built a Hacking Platform for KALININ that was located in Odessa, Ukraine ("the Odessa Server").

45. On or about August 11, 2008, RYTIKOV gave access to the Odessa Server to KALININ and assigned it to a particular Internet Protocol address.

46. Later that day, KALININ complained to RYTIKOV that the network speed to the Odessa Server was not fast enough for KALININ because KALININ needed to be able to download approximately 32 gigabytes of information at one time.

47. On or about August 18, 2008, KALININ used the Odessa Server to store "rainbow tables," which were lists of possible passwords made for use with password-cracking software. The lists of possible passwords in rainbow tables were approximately 34 gigabytes in size.


51. Between in or about August 2008 and on or about June 24, 2009, KALININ used the Odessa Server to store and later delete approximately 30,000 sets of Log-In Credentials (mainly user names and encrypted passwords) belonging to Dow Jones employees and Dow Jones user accounts.

52. Between on or about August 28, 2008 and on or about June 24, 2009, KALININ used the Odessa Server to open a file transfer connection with the Bahamas Server used in the attack on NASDAQ and JetBlue.

Euronet

53. Between in or about July 2010 and in or about December 2011, a co-conspirator caused the insertion of a file named "medll.exe" on Euronet's computer network, which allowed outside users to run programs on Euronet's network from the German Leaseweb and Hetzner Online Servers. "medll.exe" used the same unique encryption key as the malware used in the Dow Jones and JCP intrusions described above, among others.

54. Between in or about February 2010 and in or about April 2011, KALININ


56. In or about 2011, the German Leaseweb or Hetzner Online Servers were used to access Internet Protocol addresses associated with Global Payments.

Bank A

57. In or about 2010, KALININ gained access to the computer networks of Bank A.

58. In or about 2010, DRINKMAN asked SMILIANETS to open an account at Bank A to assist DRINKMAN in learning how Bank A's computer networks operated.

59. From in or about 2010 through in or about 2012, DRINKMAN, KALININ and KOTOV used the same Hetzner Online Server that was used in the Euronet and Global Payments intrusions to facilitate access into Bank A's networks.

Visa Jordan

60. In or about 2009, KALININ discovered a vulnerability in Visa Jordan's network, and gained access to it by means of a SQL Injection Attack.

61. On or about February 27, 2011, KALININ and others accessed Visa Jordan's network from the IP address XX.XXX.80.94, which was also used to access a Hacking Platform


64. In or about 2011, KALININ, DRINKMAN and others exfiltrated approximately 800,000 Card Numbers from Visa Jordan's computer networks.

65. Following the intrusion described above, SMILIANETS sold dumps obtained from Visa Jordan's networks.

Diners Singapore

66. Between in or about June 2011 and May 2012, KALININ discovered a vulnerability in Diners Singapore's network, and gained access to it by means of a SQL Injection Attack.

67. In or about June 2011, KALININ and DRINKMAN loaded malware named "mint.exe" onto Diners Singapore's computer networks to establish a remote connection to a server they controlled. The same file was used in the attack on Global Payment.

68. In or about June 2011, KALININ and DRINKMAN loaded malware named "tt.vbs" onto Diners Singapore's computer networks to facilitate the downloading of files from the networks. A similar file was used in the attack on Global Payment.


Ingenicard

71. Beginning on or about March 21, 2012, DRINKMAN gained access to Ingenicard's computer networks.

72. On or about March 21, 2012, DRINKMAN downloaded three pieces of malware - "gsc.exe," "gsc2.exe," and "sl.exe" - onto an Ingenicard computer server from the same compromised Swiss server discussed in paragraph 69 above that was also used to download some of the same malware onto Global Payment's networks.

73. After gaining access to Ingenicard's networks, DRINKMAN manipulated Ingenicard's systems to permit unlimited withdrawals from Ingenicard customer accounts. Thereafter, DRINKMAN exfiltrated approximately 23 Card Numbers from Ingenicard's computer networks, which were later used to withdraw over $9 million within a twenty-four hour period.

All in violation of Title 18, United States Code, Section 371.


COUNT TWO
(Conspiracy to Commit Wire Fraud)

1. The allegations contained in paragraphs 1, 2, and 6 through 73 of Count One of the Second Superseding Indictment are realleged and incorporated as if set forth herein.

2. Between in or about October 2006 and in or about July 2012, in Mercer and Middlesex Counties, in the District of New Jersey, and elsewhere, defendants

VLADIMIR DRINKMAN,

ROMAN KOTOV,


did knowingly and intentionally conspire and agree with each other, Gonzalez, Toey, CC #1, and others to devise a scheme and artifice to defraud the Corporate Victims, their customers, and the financial institutions that issued credit and debit cards to those customers, and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, and, for the purpose of executing the scheme and artifice to defraud, to transmit and cause to be transmitted, by means of wire communication in interstate and foreign commerce, certain writings, signs, signals, pictures, and sounds, contrary to Title 18, United States Code, Section 1343.

OBJECT OF THE CONSPIRACY

3. It was the object of the conspiracy for DRINKMAN, KALININ, KOTOV, SMILIANETS, Gonzalez, Toey, CC #1, and others to profit from the sale and fraudulent use of Card Numbers stolen from the Corporate Victims' computer networks.

MANNER AND MEANS OF THE CONSPIRACY


6. It was further part of the conspiracy that those who purchased dumps would further distribute them throughout the United States and elsewhere using wire communications in interstate and foreign commerce, where they would be used to make unauthorized purchases at retail locations, to make unauthorized withdrawals from banks and financial institutions, and to further identity theft schemes.

All in violation of Title 18, United States Code, Section 1349.


COUNTS THREE THROUGH EIGHT
(Unauthorized Computer Access)

1. The allegations contained in paragraphs 1, 2, and 6 through 73 of Count One of the Second Superseding Indictment are realleged and incorporated as if set forth herein.

2. On or about the dates set forth below, in Mercer and Middlesex Counties, in the District of New Jersey, and elsewhere, defendants

VLADIMIR DRINKMAN,

ROMAN KOTOV,


and thereby obtained information from those computers, namely Log-In Credentials, Personal Data, and Card Numbers, for the purpose of commercial advantage and private financial gain:

Count   Approximate Date      Corporate Victim
3       August 2007           7-Eleven
4       October 23, 2007      JC Penney
5       December 26, 2007     Heartland
6       January 2008          Wet Seal
7       January 2008          JetBlue
8       2009                  Dow Jones

All in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and (c)(2)(B)(i).


COUNTS NINE THROUGH ELEVEN
(Wire Fraud)

1. The allegations contained in paragraphs 1, 2, and 6 through 73 of Count One of the Second Superseding Indictment are realleged and incorporated as if set forth herein.

2. On or about the dates set forth below, in Mercer and Middlesex Counties, in the District of New Jersey, and elsewhere, defendants

VLADIMIR DRINKMAN,

ALEKSANDR KALININ,

ROMAN KOTOV,


did knowingly and intentionally devise and intend to devise a scheme and artifice to defraud and to obtain money and property from the Corporate Victims identified below by means of materially false and fraudulent pretenses, representations, and promises, and, for the purpose of executing and attempting to execute such scheme and artifice, did knowingly transmit and cause to be transmitted by means of wire communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds, namely, Log-In Credentials and Card Numbers.

Count   Approximate Date      Corporate Victim
9       August 2007           7-Eleven
10      December 26, 2007     Heartland
11      2009                  Dow Jones

All in violation of Title 18, United States Code, Sections 1343 and 2.

CASE NUMBER: 09-626 (JBS) (S-2)


United States District Court
District of New Jersey

UNITED STATES OF AMERICA
v.
VLADIMIR DRINKMAN,
ALEKSANDR KALININ,
ROMAN KOTOV,
MIKHAIL RYTIKOV,
and DMITRIY SMILIANETS,

INDICTMENT FOR
18 U.S.C. 371, 1030, 1343, 1349, and 2

A True Bill,

Foreperson

PAUL J. FISHMAN
UNITED STATES ATTORNEY
NEWARK, NEW JERSEY

EREZ LIEBERMANN & GURBIR S. GREWAL
ASSISTANT U.S. ATTORNEYS
973-645-2874 / 2931

USA-48AD 8 (Ed. 1/97)